Department of Homeland Security Incident response and vulnerability analysis Seán Paul McGurk...

Date post: 27-Dec-2015
Page 1: Department of Homeland Security

Incident response and vulnerability analysis

Seán Paul McGurk
National Cybersecurity and Communications Integration Center
U.S. Department of Homeland Security

Page 2: Cyber Incident Response and Analysis

Page 3: ICS-CERT

ICS-CERT: Provide operational support for critical infrastructure stakeholders to respond and defend against emerging cyber threats

Incident Response: Provide on-site assistance and off-site analysis to bridge the information gap

Technical Analysis: Perform digital media analysis for malware and consequences

Partnering: Provide disclosure through advisories, alerts, bulletins and information sharing

Situational Awareness: Observe, identify, acquire, or receive relevant ICS information

Benefits to the ICS and Critical Infrastructure Community

• Awareness of emerging issues and threats
• State of the art analysis capabilities specific to ICS
• Incident response support for recovery and future defense
• Established partnership for immediate support and guidance
• ICS-CERT collaboration with other agencies and partners

Page 4: ICS-CERT: Products

• Alerts
• Advisories
• Website & Portal

Page 5: ICS-CERT and the NCCIC

• The National Cybersecurity and Communications Integration Center comprises organizational components and operational liaisons

• Components refers to DHS organizations that have a major presence on the NCCIC floor

• Operational Liaisons refers to outside agencies such as ISACs, Law Enforcement and Industry

• The execution of NCCIC’s mission relies on coordinated operations that contribute to all products and services

[Figure: National Cybersecurity and Communications Integration Center – diagram of components and operational liaisons; recoverable labels: Law Enforcement, Intelligence Community, Industry, DHS NOC, NCSC, US-CERT, NCC, I&A, ICS-CERT]

Page 6: Incident Response Support

• Assist asset-owners
– Onsite “flyaway” teams
– Network architecture
– Data collection
– Mitigation

• Offsite technical analysis teams
– Analysis of collected data
– Customer reporting

• Bridge threat awareness gap

Page 7: Incident Response Example – Pre-deployment

[Diagram labels: Company-X; request for assistance; Information package; ICS-CERT Operations]

Page 8: Incident Response Example – Onsite

[Diagram labels: Company-X; Drive Images; ICS-CERT Operations; Technical Analysis]

Page 9: Incident Response Example – Post-deployment

[Diagram labels: Company-X; Technical Analysis; ICS-CERT Operations]

Page 10: Fly-Away Team Observations

• Increase in control systems owner/operator’s desire to understand the threats to their systems and how to mitigate risks

• Increased security measures are needed not only to prevent cyber attacks, but to detect and respond to incidents and mitigate the overall risk

• Trends in the usage of USBs and other removable media have introduced and spread malware
– USB thumb or flash drives have found their way into many networks
– USB drives offer malware authors an unprecedented ability to circumvent customary network access controls and protections
– Control systems are susceptible to attacks via USB drives: because these systems tend to be isolated from the internet and the business network, USB drives are therefore used to push out updates to the system

Page 11: Control System Vendor’s Response

• Developing internal incident response teams or CERTs for triaging major issues

• Notifying their consumer base through increased advisories and communications

• Collaborating with ICS-CERT on vulnerability related issues, including testing of mitigations and workarounds

• Participating in working groups such as the Industrial Control Systems Joint Working Group (ICSJWG) to collaborate with other vendors and solicit feedback from owner/operators.

• Overwhelming response to participate in the Program’s week-long ICS advanced cybersecurity training.

Page 12: Cyber Security Evaluation Tool (CSET)

CSET Features
• Assessment covers policy, plans, and procedures in 10 categories
• Provides recommended solutions to improve security posture
• Allows for standards-specific reports (e.g., NERC CIP, DOD 8500.2, NIST SP 800-53)

Recent Accomplishments
• Issued Version 2.0 of the Tool
– The embedded Global Assessment cross-references multiple standards
• Version 3.0 in development – planned completion in Sept 2010
• Distributed over 1,000 copies since October 2009 to asset owners in 15 different sectors

Page 13: Assessments: On-Site Support

• CSSP used the CSET to assist critical infrastructure asset owners in conducting self-assessments
– Completed 50 assessments in multiple sectors

• Assessment teams assisted infrastructure asset owners in 17 states and territories, including several remote locations where the control systems represent ‘single-point failures’ for the community

• CSSP encourages asset owners to identify their security gaps and implement the recommended mitigation strategies

Page 14: On-Site Assessment Observations

• Weak or nonexistent cybersecurity policies and practices
– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives

• Insufficient control of remote logging and access
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks – devices not properly configured

Page 15: On-Site Assessment Observations (continued)

• Media protection and control
– Weak control of incoming and outgoing media – use of USB drives
– Lack of encryption implementation

• Audit/logging events
– Insufficient methods for monitoring and controlling network events
– Lack of understanding of disaster recovery techniques

• Weak testing environments
– Limited patch management abilities
– Weak backup and restore abilities
– Weak firewall rule sets

Page 16: Industrial Control Systems Joint Working Group (ICSJWG)

• Provides a vehicle for collaboration between government and private sector control systems stakeholders
– Government Coordinating Council
– Sector Coordinating Council
– Subject Matter Experts
– International Community

• Fosters information sharing and coordination of activities and programs across government and private industry stakeholders involved in protecting CIKR

• Includes 6 subgroups – Volunteers welcome
– Vendors
– Research and Development
– International
– ICS Roadmap Development
– Workforce Develop
– Information Sharing

Page 17: Contact Information

• Report Control Systems cyber incidents and vulnerabilities
– [email protected]
– 877-776-7585

• Report general cyber incidents and vulnerabilities
– www.us-cert.gov or [email protected]
– 703-235-5111, 888-282-0870

• Sign up for cyber alerts
– www.us-cert.gov

• Learn more about the Control Systems Security Program
– www.us-cert.gov/control_systems
– [email protected]
